That's a crypto architecture design choice, MS opted for the user-friendly key escrow option instead of the more secure strong local key - that requires a competent user setting a strong password and saving recovery codes, understanding the disastrous implication of a key loss etc.
Given the abilities of the median MS client, the better choice is not obvious at all, while "protecting from a nation-state adversary" was definitely not one of the goals.
While you're right, they also went out of their way to prevent competent users from using local accounts and/or not upload their BitLocker keys.
I could understand if the default is an online account + automatic key upload, but only if you add an opt-out option to it. It might not even be visible by default, like, idk, hide it somewhere so that you can be sure that the median MS user won't see it and won't think about it. But just fully refusing to allow your users to decide against uploading the encryption key to your servers is evil, straight up.
I really doubt those motives are "evil." They're in the business of selling and supporting an OS. Most people couldn't safeguard a 10-byte password on their own, they're not going to have a solution for saving their encryption key that keeps it safer than it'd be with Microsoft, and that goes for both criminals (or people otherwise facing law enforcement scrutiny) and normal grandmas who just want to not have all their pictures and recipes lost.
Until recently, normal people who got arrested and had their computer seized were 100% guaranteed that the cops could read their hard drive, and society didn't fall apart. Today, the chances the cops can figure out how to read a given hard drive are probably a bit less. If someone needs better security against the actual government (and I'm hoping that person is a super cool brave journalist and not a terrorist), they should be handling their own encryption at the application layer and keeping their keys safe on their own, and probably using Linux.
The OOBE (out of box experience) uploads the key by default (it tells you it's doing it, but it's a bit challenging to figure out how to avoid it), but any other setup method specifically asks where to back up your key, and you can choose not to. The way to avoid enrollment is to enable BitLocker later than OOBE.
I really think that enabling BitLocker with an escrowed key during OOBE is the right choice, the protection to risk balance for a “normal” user is good. Power users who are worried about government compulsion can still set up their system to be more hardened.
The last time I installed Windows, BitLocker was enabled automatically and the key was uploaded without my consent.
Yes, you can opt out of it while manually activating BitLocker, but I find it infuriating that there's no such choice in the system installation process. It's stupid that after system installation a user is supposed to re-encrypt their system drive if they don't want this.
How would you even know that your opt-out request isn't silently ignored? Or that your re-encrypted drive's key got backed up to the cloud because an update silently inverted a flag?
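The comments above describe enabling BitLocker after OOBE and opting out of key backup, then ask how one would verify that. As an added example that is not part of the thread, this PowerShell audit (run elevated on the machine in question) lists the volume's key protectors, pulls the BitLocker Management log events written when a recovery password is backed up to Entra ID / Azure AD, and reads the documented `PreventDeviceEncryption` registry switch. It assumes the BitLocker PowerShell module is present; whether the consumer Microsoft-account backup path writes the same events is an assumption the output cannot settle, so an empty event list is not proof that no upload happened.

```powershell
# Added example (not from the thread): local audit of BitLocker protectors and escrow evidence.
# Requires an elevated session and the BitLocker module (Get-BitLockerVolume).
function Get-BitLockerEscrowReport {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # Every protector that can unlock the volume. A RecoveryPassword protector is the one
    # that gets escrowed; Tpm / TpmPin protectors stay on the device.
    $protectors = $vol.KeyProtector | ForEach-Object {
        [pscustomobject]@{ Type = $_.KeyProtectorType; Id = $_.KeyProtectorId }
    }

    # Events logged when a recovery password is backed up to Entra ID (Azure AD):
    # 845 = backed up successfully, 846 = backup failed.
    # Assumption: the consumer Microsoft-account path may not log here, so no event != no upload.
    $backupEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id      = 845, 846
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message

    # Documented opt-out for automatic device encryption; 1 means OOBE will not auto-encrypt.
    $prevent = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker' `
        -Name PreventDeviceEncryption -ErrorAction SilentlyContinue

    [pscustomobject]@{
        MountPoint              = $MountPoint
        VolumeStatus            = $vol.VolumeStatus
        ProtectionStatus        = $vol.ProtectionStatus
        Protectors              = $protectors
        EscrowEvents            = $backupEvents
        PreventDeviceEncryption = $prevent.PreventDeviceEncryption
    }
}

Get-BitLockerEscrowReport | Format-List
```

Re-run the report after each Windows update to catch the "silently inverted flag" case the comment worries about: a new RecoveryPassword protector ID or a fresh 845 event is the signal to look for.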
It's been legal in Australia since 2018 and frustratingly nobody seems to give a shit except for yanks trying to point out any government's injustices other than their own.
If they honestly informed customers about the tradeoff between security and convenience they'd certainly have far fewer customers. Instead they lead people to believe that they can get that convenience for free.
> tradeoff between security and convenience they'd certainly have far fewer customers
What? Most people, thinking through the tradeoff, would 100% not choose to be in charge of safeguarding their own key, because they're more worried about losing everything on their PC than they are about going to jail. Because most people aren't planning on doing crime. Yes, I know people can be wrongly accused and stuff, but overall most people aren't thinking of that as their main worry.
If you tell people, "I'll take care of safeguarding your key for you," it sounds like you're just doing them a favor.
It would be more honest to say, "I can hold on to a copy of your key and automatically unlock your data when we think you need it opened," but that would make it too obvious that they might do so without your permission.
They're not doing them a favor. They're providing them a service.
Trust is a fundamental aspect of how the world works. It's a feature, not a bug.
Consider that e.g. your car mechanic, or domestic service (if you employ it), or housekeeping in the hotel you stay in, all have unsupervised access to some or all of your critical information and hardware. Yet these people are not seen as threat actors by most people, because we trust them not to abuse that access, and we know there are factors at play to ensure that trust.
In this context, I see Microsoft as belonging to the cohort above for most people. Both MS and your house cleaner will turn over your things to police should they come knocking, but otherwise you can trust them to not snoop through your stuff with malicious intent. And if you don't trust them enough - don't buy their services.
I hope they don't wake up because they deserve to lose a lot of business after decades of abusing their monopolistic position to push software that prioritizes their own interests and not that of their customers.